
Sapphire Werewolf Upgrades Arsenal With Amethyst Stealer Targeting Energy Firms

Sapphire Werewolf has introduced a potent new weapon into its cyber arsenal, unveiling the latest iteration of the Amethyst stealer in a calculated phishing attack against an energy firm.

According to the report, the operation disguises its malicious payload as a routine HR memo.

The threat actor begins its attack with a fraudulent email, purporting to come from an HR department.

Attached is what appears to be an ‘official memo archive’, a .rar file (Служебная записка .rar) containing an executable (Служебная записка .exe) that masquerades as a PDF document.

This file, written in C# and shielded with .NET Reactor, serves less as a document and more as a loader for a sophisticated piece of malware.

Figure: Sapphire Werewolf phishing email

Advanced Evasion Techniques

Amethyst’s enhancements in this version, particularly its evasion techniques, are especially noteworthy:

  • VM Detection: The stealer has integrated numerous checks to confirm whether the compromised environment is virtual, including:
      • Examining specific file descriptors typical of VirtualBox VMs.
      • Checking for a VMware Tools installation through registry keys.
      • Investigating hardware details such as the manufacturer and model via WMI.
      • Looking for signatures of virtualization in the processor, motherboard details, and BIOS serial number.
      • Performing detailed hardware checks, including the disk model and ID and plug-and-play devices.
      • Verifying and analyzing services running on the system for signs of a VM.
      • Checking when VM-related registry keys were last modified to identify whether evasion policies have been enforced.
  • Triple DES Encryption: A significant shift in string encryption, where Amethyst employs Triple DES, a symmetric encryption algorithm typically used for securing electronic data transmissions. Unlike prior versions, where encryption covered the entire payload, this version encrypts nearly every string that feeds into function calls, ensuring that only minimal, obfuscated data remains in memory.

Extraction and Exfiltration

The Amethyst stealer’s scope of operation is equally formidable:

  • Stealing Credentials: The malware targets credentials from Telegram, an array of browsers including Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa, and Edge Chromium, as well as FileZilla and SSH clients. It extends its reach to remote desktop protocols and VPN clients’ configuration data, looking for stored credentials and sensitive documents on both local and removable storage mediums.
  • Data Staging and Compression: After collection, Amethyst stashes the stolen data in a specific folder on the infected system, where it uses Ionic’s Zip Library to compress the information into a manageable package. It then uploads the compressed data to a C2 server, sending along the system’s IP address and a string indicating whether the machine is virtual or not.
  • Decoy Content: To further mislead the victim, Amethyst extracts and displays a decoy PDF document, perhaps to lull the victim into a false sense of security.

Figure: example of decoy contents

Indicators of Compromise

Several indicators can be used to identify infections:

  • Hashes:
      • 93d048364909018a492c8f709d385438
      • 94034e04636bc4450273b50b07b45f636ff59b05
      • 4149b07d9fdcd04b34efa0a64e47a1b9581ff9d1f670ea552b7c93fb66199b5f
  • C2 URLs:
      • hxxp://canarytokens.com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js
      • wondrous-bluejay-lively.ngrok-free.app

The enhancement of Sapphire Werewolf’s capabilities to target the energy sector with such advanced tools indicates a deliberate escalation in their operations.

This development calls for a corresponding escalation in defensive measures:

  • Suspicious Execution: Organizations should be vigilant for signs of suspicious executables being run from unusual locations such as the %Temp% folder, or with names resembling system files but launched from unexpected directories.
  • Unusual Scheduled Tasks: Detecting the creation of atypical scheduled tasks can provide an early warning signal.
  • Access to Sensitive Files: Monitoring for unexpected access to sensitive files by processes that do not usually interact with such data.
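The three detection points above can be turned into a simple triage routine over Sysmon-style process-creation events. This is an added example, not code from the report or the article; the events are constructed for illustration (the WinRAR extraction path and user name are assumptions), using the archive and executable name the article gives.

```python
"""Triage Sysmon Event ID 1 (process creation) records for the execution
patterns described above: executables launched from %Temp%, document-named
double extensions, system-binary names outside \\Windows, and scheduled-task
creation by a process that itself runs from %Temp%."""
import re

# Constructed sample events (not real telemetry). The Rar$EXa... folder is an
# assumed WinRAR temporary extraction directory; the .exe name is from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa1234.5678\Служебная записка .exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "CommandLine": ""},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\ivan\AppData\Local\Temp\Rar$EXa1234.5678\Служебная записка .exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\ivan\AppData\Local\Temp\svc.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"Image": r"C:\Users\ivan\Downloads\report.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"Image": r"C:\Users\ivan\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.exe$", re.IGNORECASE)
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "explorer.exe"}      # common extractors
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of matched detection reasons for one event (empty = benign)."""
    image, parent = event["Image"], event["ParentImage"]
    name, parent_name = basename(image), basename(parent)
    reasons = []
    if name.endswith(".exe") and TEMP_DIR.search(image):
        reasons.append("exe_from_temp")
        if parent_name in ARCHIVE_TOOLS:          # run straight out of an archive
            reasons.append("launched_from_archive_tool")
    if DOC_DOUBLE_EXT.search(image):
        reasons.append("document_double_extension")
    if name in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\"):
        reasons.append("system_name_outside_windows")
    if name == "schtasks.exe" and "/create" in event["CommandLine"].lower() and TEMP_DIR.search(parent):
        reasons.append("scheduled_task_from_temp_process")
    return reasons


def hunt(events):
    """Map each suspicious image path to its reasons, dropping benign events."""
    return {e["Image"]: r for e in events if (r := triage(e))}
```

Feed real Sysmon events (as dicts with the same three fields) into hunt() to get a per-process list of why it was flagged; the rules are deliberately simple and should be tuned against your own baseline of legitimate installers and update agents.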

The deployment of Amethyst by Sapphire Werewolf underlines the importance of heightened cybersecurity measures, particularly in critical infrastructure like energy sectors.

Organizations are advised to implement comprehensive EDR rules, vigilant monitoring, and robust endpoint protection to detect and mitigate such sophisticated threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
